1. Here is an article on how trusted authentication works. As far as I understand, user level is still stored within Tableau Server.
2. User information is stored in Tableau's database and can be looked up by userid.
3. When a user signs in, they will only see the sites they have permission to.
Q1. A Ticket represents an authenticated user - so there must already BE a user established in Tableau in order for a ticket to be issued. If you ask for a ticket for a user which does not exist, you get a -1 (error) response.
Q3. You define which users can access which sites.
Q4. Same answer as Q3. It's up to you.
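Added example, not part of the original replies: how a web application can request a ticket and refuse to build an embed URL when the server answers -1. The `/trusted` endpoint, the `username` and `target_site` form fields and the `/trusted/<ticket>/t/<site>/views/...` layout follow Tableau's documented trusted-authentication flow and are not stated in this thread; the server name, users, site and `fake_post` stand-in are constructed.

```python
import urllib.parse
import urllib.request


class TicketError(Exception):
    """Tableau Server refused to issue a trusted ticket."""


def http_post(url, fields, timeout=10):
    """POST form fields and return the response body as text."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return resp.read().decode()


def request_ticket(server, username, site=None, post=http_post):
    """Ask Tableau Server for a ticket for an existing Tableau user.

    `username` must come from the web app's own authenticated session,
    never from request parameters the browser controls.
    """
    fields = {"username": username}
    if site:
        fields["target_site"] = site  # omit for the Default site
    ticket = post(f"{server}/trusted", fields).strip()
    if ticket == "-1" or not ticket:
        # -1 is the error response, e.g. the user does not exist in Tableau.
        raise TicketError(f"no ticket for {username!r} on site {site!r}")
    return ticket


def view_url(server, ticket, view_path, site=None):
    """Build the URL that redeems the ticket for a view."""
    site_part = f"/t/{urllib.parse.quote(site, safe='')}" if site else ""
    return f"{server}/trusted/{ticket}{site_part}/views/{view_path}"


# Constructed stand-in for Tableau Server: one known user on one site.
def fake_post(url, fields):
    known = {("alice", "finance")}
    key = (fields["username"], fields.get("target_site"))
    return "constructed-ticket-123\n" if key in known else "-1"


if __name__ == "__main__":
    t = request_ticket("https://tableau.example", "alice", "finance", post=fake_post)
    print(view_url("https://tableau.example", t, "Sales/Overview", "finance"))
```

Checking for -1 before building the URL keeps the literal string "-1" from ever being embedded as if it were a ticket.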